pykerberos for trusty does not include CVE-2015-3206 fix

Bug #1716429 reported by Mathieu Lafon on 2017-09-11
Affects               Status  Importance  Assigned to     Milestone
pykerberos (Ubuntu)           Medium      Unassigned
Trusty                        Medium      Steve Beattie

Bug Description

The current version of pykerberos for trusty does not include the fix for CVE-2015-3206 (KDC authenticity verification), although it is included in both surrounding LTS releases:

- precise (12.04.5 LTS): 1.1+svn4895-1+deb6u1build0.12.04.1, fix included
- trusty (14.04.5 LTS): 1.1+svn10616-2, fix *not* included
- xenial (16.04.3 LTS): 1.1.5-2build1, fix included

This causes two problems:
- This is a non-patched security issue (which has been patched in the previous LTS)
- As the kerberos.checkPassword arguments are incompatible when the fix is applied, a program working with 12.04 and 16.04 does not work with 14.04.

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in pykerberos (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

Hello Mathieu; pykerberos is in universe, so it is community supported. It looks like we were able to bring in an update from Debian via our "security fake sync" process for 12.04 LTS but not for 14.04 LTS. By the time of 16.04 LTS we imported the fix directly from Debian.

Is there any chance you can prepare an update for us to sponsor for 14.04 LTS?

Thanks

Mathieu Lafon (mlafon) wrote :

Hello Seth.

Sure. The patch in xenial does apply on the trusty version and is working as expected. I have attached a debdiff which you can use if you want to sponsor the update.

Thanks

information type: Private Security → Public Security
Simon Quigley (tsimonq2) on 2017-09-13
Changed in pykerberos (Ubuntu):
status: Incomplete → Confirmed
status: Confirmed → Fix Released
importance: Undecided → Medium
Changed in pykerberos (Ubuntu Trusty):
importance: Undecided → Medium
status: New → Confirmed
Simon Quigley (tsimonq2) wrote :

Hello Mathieu,

Two things about your debdiff that I would suggest before this is uploaded:
 1. Please set the priority to medium in the changelog to match the CVE priority. I'm not sure the references to the other releases are needed; this can be dealt with in the DEP-3 header (see below).
 2. Adding a DEP-3 header helps parse your patch in a machine-readable format; please update your patch to use it: http://dep.debian.net/deps/dep3/

Lastly, in order to properly do the triaging on the tracker[1], could you please tell us if Zesty and Artful are applicable, or if it is fixed in Xenial and on, and also which upstream release it was fixed in?

After the above is taken care of, it should be good to upload, unless anyone else has feedback. Thank you for your contribution to Ubuntu and your willingness to get this fixed!

[1] https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3206.html

Mathieu Lafon (mlafon) wrote :

Hello Simon,

On which patch do you expect me to add DEP-3 header? Is it the debdiff or the included patch (Add-KDC-authenticity-verification-support-CVE-2015-3206.patch)?

Regarding upstream, the patch has been included in 1.1.6 and updated in 1.1.10 regarding the 'verify' option (should have been optional but it was not the case in the first patch).

Ref:
* https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
* https://github.com/02strich/pykerberos/commit/5867201f1b9c682402aa9b495a654b8f346c8784

Regarding the ubuntu versions:
* precise: based on 1.1+svn4895, patch included
* trusty: based on 1.1+svn10616, patch *not* included
* vivid: based on 1.1.5, patch *not* included
* xenial: based on 1.1.5, patch included (updated with second fix)
* zesty: based on 1.1.5, patch included (updated with second fix)
* artful: based on 1.1.5, patch included (updated with second fix)

So only trusty and vivid lack the security patch. I don't know if there's a need to patch vivid as it has already reached EOL.

Simon Quigley (tsimonq2) wrote :

Hello Mathieu,

Please add the DEP-3 header to the included patch (Add-KDC-authenticity-verification-support-CVE-2015-3206.patch).

Thanks for the triaging, I can get that on the tracker next time I do some triaging (unless a member of ~ubuntu-security wants to take care of it).

Thank you!

Seth Arnold (seth-arnold) wrote :

Hrm, the debdiff includes:

++ const int verify = 1;

This patch from upstream removed the 'const':

https://github.com/02strich/pykerberos/commit/873fca96cb42ff1c163859a5618dc9983796f438

The commit message includes this "gcc didn't respect the const qualifiers, however" -- I'm not sure I like relying upon a whim of gcc for this.

This debdiff does grab the ssss|b vs ssssb change though.

Does anything ever want verify = false?

Thanks

Mathieu Lafon (mlafon) wrote :

Here is a new debdiff with the following changes:
- Updated priority in changelog
- Added DEP-3 headers in included patch
- Removed const qualifier

Regards.

Steve Beattie (sbeattie) wrote :

Hi Mathieu,

When Debian fixed this issue for Jessie and Wheezy (their stable releases), they left the default to off, in order to not break existing setups that aren't prepared to do validation of the KDC (as it requires possibly setting up an additional keytab). The update for Ubuntu 12.04 LTS included this default. I think this is the sensible thing to do for Ubuntu 14.04 LTS.

(See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796195 and in particular, the added NEWS entry in http://launchpadlibrarian.net/211063096/pykerberos_1.1+svn4895-1build2_1.1+svn4895-1+deb6u1build0.12.04.1.diff.gz for explanation.)

I'm touching up your debdiff to do this (and include a similar NEWS entry), and will push this to trusty-security next week.

Thanks.

Changed in pykerberos (Ubuntu Trusty):
assignee: nobody → Steve Beattie (sbeattie)
Mathieu Lafon (mlafon) wrote :

Hi Steve,

> When debian fixed this issue [...], they left the default to off, in order to not break [...]
> The update for Ubuntu 12.04 LTS included this default.

You're correct about Debian, but this is not exactly what is in the 12.04 LTS update. The patch for precise has two issues:
- The default value for 'verify' in the source code (src/kerberos.c) is 1 (enabled), although pysrc/kerberos.py (only used for documentation) has 'verify=False'
- The 'verify' argument was not made optional in the PyArg_ParseTuple() call, so whatever default value was specified, the call would fail if there were not 5 parameters.

So 12.04 LTS already broke existing setups (and I was personally impacted at that time).

The patch included in xenial then fixes these issues:

pykerberos (1.1.5-2):
  * [d3133b6] Set verify=True in docs too. This makes the docs consistent
    with the default behaviour of the function.
  * [792f3b6] Make verify option really optional. So far it correctly
    defaulted to true but couldn't be skipped.
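
The following Python is an added illustration, not code from the bug report or from pykerberos, of the three checkPassword() argument formats the thread compares: the unpatched trusty build ("ssss", no verify argument), the first patch's mandatory argument ("ssssb", the call fails with 4 parameters), and the corrected optional form ("ssss|b", defaulting to verify=1 as the C source does). PyArg_ParseTuple is emulated in Python by the constructed parse_tuple() helper so the behaviour can be run without a KDC; make_check_password(), check_password_verified() and the sample arguments are likewise constructed for the example.

```python
# Added example: emulation of the checkPassword() argument formats discussed
# in this bug. Not pykerberos code; PyArg_ParseTuple is emulated in Python so
# the compatibility behaviour can be exercised without a KDC.

FMT_UNPATCHED = "ssss"    # trusty 1.1+svn10616-2: no 'verify' argument at all
FMT_MANDATORY = "ssssb"   # first patch: 'verify' present but not optional
FMT_OPTIONAL = "ssss|b"   # 1.1.10 / xenial 1.1.5-2: optional, defaults to 1

# Constructed sample arguments (service, user, password, default realm).
SAMPLE_ARGS = ("HTTP@www.example.com", "alice", "s3cret", "EXAMPLE.COM")


def parse_tuple(fmt, args):
    """Minimal PyArg_ParseTuple look-alike for the 's' and 'b' codes and the
    '|' marker. Returns one value per format code, None for an absent optional
    argument, and raises TypeError on arity/type mismatch as CPython would."""
    codes = fmt.replace("|", "")
    nreq = len(fmt.split("|")[0])
    if not nreq <= len(args) <= len(codes):
        if nreq == len(codes):
            raise TypeError("function takes exactly %d arguments (%d given)"
                            % (nreq, len(args)))
        raise TypeError("function takes at least %d arguments (%d given)"
                        % (nreq, len(args)))
    values = []
    for code, value in zip(codes, args):
        if code == "s" and isinstance(value, str):
            values.append(value)
        elif code == "b" and isinstance(value, int) and 0 <= value <= 255:
            values.append(int(value))   # 'b' yields an unsigned char
        else:
            raise TypeError("argument %d has wrong type for code %r"
                            % (len(values) + 1, code))
    values.extend([None] * (len(codes) - len(args)))
    return values


def make_check_password(fmt, default_verify=1):
    """Build an emulated checkPassword() whose argument parsing follows fmt.
    The real function talks to the KDC; here we only report whether the KDC
    would have been authenticated (the CVE-2015-3206 behaviour)."""
    def check_password(*args):
        values = parse_tuple(fmt, args)
        if len(values) == 4:              # unpatched: no verification exists
            return {"kdc_verified": False}
        verify = values[4]
        if verify is None:                # optional arg omitted -> C default
            verify = default_verify       # the 'int verify = 1' in the patch
        return {"kdc_verified": bool(verify)}
    return check_password


def check_password_verified(check_password, service, user, password, realm):
    """Call a checkPassword() implementation while insisting on KDC verification.
    A module that cannot take the argument is reported as unsafe rather than
    silently used without verification."""
    try:
        result = check_password(service, user, password, realm, 1)
    except TypeError as exc:
        raise RuntimeError("pykerberos without KDC verification "
                           "(CVE-2015-3206 unfixed): %s" % exc)
    if not result["kdc_verified"]:
        raise RuntimeError("KDC verification requested but not performed")
    return result


def compatibility_matrix():
    """Exercise every variant with 4 and 5 positional arguments, as a caller
    written for one release would; returns outcome strings keyed by
    (variant, argument count)."""
    variants = {
        "trusty-unpatched": make_check_password(FMT_UNPATCHED),
        "first-patch":      make_check_password(FMT_MANDATORY),
        "xenial":           make_check_password(FMT_OPTIONAL),
    }
    outcomes = {}
    for name, fn in variants.items():
        for nargs in (4, 5):
            args = SAMPLE_ARGS + ((1,) if nargs == 5 else ())
            try:
                outcomes[(name, nargs)] = (
                    "ok kdc_verified=%s" % fn(*args)["kdc_verified"])
            except TypeError as exc:
                outcomes[(name, nargs)] = "TypeError: %s" % exc
    return outcomes


if __name__ == "__main__":
    for key, outcome in sorted(compatibility_matrix().items()):
        print("%-18s %d args: %s" % (key[0], key[1], outcome))
```

The matrix shows why a caller cannot be written for all three builds at once: the 4-argument call works on the unpatched build and the optional-argument build but fails on the first patch, while the 5-argument call fails on the unpatched build. check_password_verified() takes the defender's side of that problem: it always passes verify and turns a build that cannot accept it into an explicit error instead of an unverified password check.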

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pykerberos - 1.1+svn10616-2ubuntu0.1

---------------
pykerberos (1.1+svn10616-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: The checkPassword function does not authenticate the
    KDC it attempts to communicate with (LP: #1716429)
    - Add-KDC-authenticity-verification-support-CVE-2015-3206.patch
      retrieved from xenial version (1.1.5-2build1).
    - CVE-2015-3206
    - debian/NEWS: add explanation of issue and default chosen

 -- Mathieu Lafon <email address hidden> Thu, 05 Oct 2017 09:32:55 +0200

Changed in pykerberos (Ubuntu Trusty):
status: Confirmed → Fix Released